bilgi guvenligi

Do You Know That The Information In Your PC Is Spreading Around??

We know that electrical and electronic equipment may have intentionally or unintentionally electromagnetic energy radiation to their surroundings. Wireless transmitters, mobile phones, radars, detectors, wireless data transmission systems do voluntarily emit this energy. But it is not desirable for a computer, copier or projection device to emit electromagnetic energy around. As I mentioned in my previous article, TEMPEST is a term that refers to unintentional electromagnetic energy emissions caused from electrical and electronic equipment that process confidential information, and also a code name by U.S. to investigate, examine, and control such emissions.

Although it seems utopian, TEMPEST is quite an old method of intelligence. Once energy emitted from the electrical device is picked up by an antenna and receiver, it can be amplified and reprocessed, and sometimes image refined thus information leakage can be obtained. This method was brought to Turkey by a team that I myself was a member of, in 1990’s, a laboratory and technical infrastructure that can create, solve and test the TEMPEST Problem with completely national abilities was established and personnel were trained. The most striking point of the problem is that leakage from any information processing device can be obtained … information displayed on the computer screen, information read on the CD drive, information replicated on the copier, transmitted by fax, scanned on the scanner, printed on the printer … all the information processing equipment that can come into your mind, is a potential TEMPEST leak source.

Are you sure that your PC is safe with the precautions you had taken???

The simplest TEMPEST scenario is that; while you are writing a CONFIDENTIAL article in your computer, the exploiter is collecting the signals electromagnetically spreading from your screen and reconstructing it… just like collecting aerial broadcast information sent over kilometers and watching a TV programme in our living room… This process can be done surreptitiously upstairs, in the next building or in a panelvan with darkened glass parking in front of your office…just like you do not know who is watching your television broadcasts! This kind of leak is known as “radiated emissions leakage”. Another way of collecting information leaks beyond using an antenna is to penetrate the network which the information processing device is connected and reach to the information … Going through the same example, CONFIDENTIAL information in your computer can also be obtained by penetrating to the power network or internet network it is connected to, collecting the data by a monitoring probe, even from hundreds of meters away..! This method is known as “conducted emissions leakage”. Neither the update of the antivirus on your system, nor the power of your firewall means anything against TEMPEST, because if the information is open on your screen, the same information exists in the air and on your network, and therefore on the exploiters antenna and probe…

So, how can we become safe against TEMPEST Leaks??

Actually the risk is big, but some measures are quite easy. First, I must say that the only and safest measure of the leakage through the conducted emissions is the TEMPEST filtering to be done on the signal lines or the power lines. Filters are devices that prevent leaks out without affecting the operation of the device. Leaks caused by radiated emissions can be prevented by the use of special designed equipment. During my years at TÜBİTAK – UEKAE, I have directed National TEMPEST Filters, National TEMPEST Proof IT Equipment development projects. Today, thousands of devices we have developed are used in many critical govermental institutions and military areas. If you do not have a chance to use these special devices of high cost, you should pay attention to work in the special chambers with TEMPEST proof or having a large controlled zone by taking advantage of the principle that leakage signals decrease inversely with distance.

 

This article was published in periodical “Science and Technology to Everybody (Herkese Bilim Teknoloji)”, March 10th, 2017.

Information Security and Threats

The myriad measures we have taken for the security of our personal data may be making our daily life a bit more difficult. However, it should not be forgotten that everyday a new information stealing and intelligence method is being developed against every measure taken.

While we are spending so much time and effort in the simplest terms on our personal data, what can be the level  for institutions, communities and moreover for countries to ensure information security?

Protecting the information and against it, the intelligence activities carried out in order to acquire information bring to mind military and political issues firstly. When we have a look to NATO’s security structure for the sake of generalization, Information Security is at the top level under Basic Security heading, along with Physical Security, Personnel Security, Procedure Security and Document Security. In a subdivision, Information Security (InfoSec) contains Computer Security (CompuSec) and Communication Security (ComSec) components. Afterwards, the different security sub-units created for different threats, branching out as we go over the details …

So what are the threats that require so much precautions?

It is impossible to tell all the threats so long here, but I can clearly say that as we are discussing these issues now, some new intelligence methods are being developped somewhere… But in general, we can summarize the issue as seizing the information from involuntary emanations (passive intelligence) and attacting to information secured against unauthorized access (active intelligence).

Today, while corporations and organizations are struggling to prevent unauthorized access to data in computers primarily, thinking that they are safe by using firewalls and antiviruses, in fact, information is spreading around as emanations. For the unauthorized persons who are in passive listening mode, they only accumulate the information free in the environment with their technical capabilities. An old technology, “listenning to what is spoken in the environment by remote laser signals, by means of transducing the vibration generated on the glass into significant voice and texts (optical intelligence)” can still be utopian for somebody today. In the same way, using TEMPEST technology (obtaining information from electromagnetic emanations) to get the information from IT devices such as computer screens, hard drives, printers, scanners, etc., remotely from a distance of tens of meters, is still attractive, however it is first used in the 1960s.

“Emotional” analysis with wireless data signals: EQ-Radio …

You must have read the news that a group of scientists at MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) have conducted studies on analyzing emotions by sending wireless data signals and have 87% successful results. With the wireless signals sent, they can detect the excited, sad or irritated moods of the people. There is no doubt that this technology, called EQ-Radio, will be actively used to get more detailed information in the close future. The fact that wireless modems are widespread in every environment we are entering, will force you to embrace “what information can be gathered with the signals sent from the modems”. While we continue to feel safe with the antiviruses and firewalls we set, honestly, we live in an era when we can not guarantee that the information in our mind is not captured.

This article was published in periodical “Science and Technology to Everybody (Herkese Bilim Teknoloji)”, November 18, 2016

Bilgi Güvenliği ve Tehditler

Living with Information Security

Inspite we live in the era of information technology, it provides unlimited facilities to access information. It is not so far the days that we had to search the right library and then find the right source among thousands of books for obtaining the information we were looking for, but today, with a popular expression, information is just as close as hitting a key.

It is very natural that keeping confidential information is very hard in such an environment as it is so easy to access every information.

Information security, in general terms, is the whole of the work carried out against acquiring the information required to be protected, harm, the use, modification and recording of this information by unauthorized persons.

Although the concept of information security today is almost synonymous with cyber security, the work done to protect information is very old. We know that special messages from Julius Caesar, the great leader of the Roman Empire who lived in the 1st century BC, were tried to be kept safe with the technique we call Caesar Encryption today. The example of a more recent past is the struggle of intelligence and intelligence counterattack in the Second World War. Germany’s legendary crypto device Enigma, today when it is called cryptology, is the first thing that comes to mind even for people who are not interested in this science.

Is information security important just to ensure the confidential information and communication security of states?

Without any doubt, No..!

Information security is an essential aspect of commercial secrecy and even personal privacy. The steps that commercial companies take before their competitors, the policies and strategies they pursue, the R & D work they do, the financial actions and many other issues have a very delicate balance based on the provision of information security. We are using our mobile phones by dialing the pin code, personal privacy has a priority of everything…

The most interesting statistic on this subject comes up when judicial cases related to cyber security are examined. The new trend of information security violation is seizing digital game accounts… Yes, even though every day we hear an internet fraud news, the case of unloading the bank account, the digital game account theft is surprisingly the same size illegal revenue gate.

While talking about communication security, computer security, cryptographic security, RF security, optical security etc. coming across with information security in a much simpler phase of our life leads us to watch a thief-police struggle that develops with technology … And as a part of this struggle, we have to learn living by keeping in mind dozens of passwords to be used at every step we take in the virtual world today. How satisfied or dissatisfied we are in this situation, no commment…

This article was published in periodical “Science and Technology to Everybody (Herkese Bilim Teknoloji)”, September 16, 2016

 

bilgi_guvenligi_ile_yasamak